BigW Consortium Gitlab

workhorse.rb 5.5 KB
Newer Older
1 2
require 'base64'
require 'json'
3
require 'securerandom'
4
require 'uri'
5 6 7

module Gitlab
  class Workhorse
8 9 10 11
    SEND_DATA_HEADER = 'Gitlab-Workhorse-Send-Data'.freeze
    VERSION_FILE = 'GITLAB_WORKHORSE_VERSION'.freeze
    INTERNAL_API_CONTENT_TYPE = 'application/vnd.gitlab-workhorse+json'.freeze
    INTERNAL_API_REQUEST_HEADER = 'Gitlab-Workhorse-Api-Request'.freeze
12
    NOTIFICATION_CHANNEL = 'workhorse:notifications'.freeze
13 14 15 16

    # Supposedly the effective key size for HMAC-SHA256 is 256 bits, i.e. 32
    # bytes https://tools.ietf.org/html/rfc4868#section-2.6
    SECRET_LENGTH = 32
17

Jacob Vosmaer committed
18
    class << self
19 20
      def git_http_ok(repository, is_wiki, user, action)
        project = repository.project
21
        repo_path = repository.path_to_repo
22
        params = {
23
          GL_ID: Gitlab::GlId.gl_id(user),
24
          GL_REPOSITORY: Gitlab::GlRepository.gl_repository(project, is_wiki),
25
          RepoPath: repo_path
26
        }
27

28
        if Gitlab.config.gitaly.enabled
29
          address = Gitlab::GitalyClient.address(project.repository_storage)
30
          params[:Repository] = repository.gitaly_repository.to_h
31 32 33

          feature_enabled = case action.to_s
                            when 'git_receive_pack'
34 35
                              # Disabled for now, see https://gitlab.com/gitlab-org/gitaly/issues/172
                              false
36 37 38 39 40 41 42 43
                            when 'git_upload_pack'
                              Gitlab::GitalyClient.feature_enabled?(:post_upload_pack)
                            when 'info_refs'
                              true
                            else
                              raise "Unsupported action: #{action}"
                            end

44
          params[:GitalyAddress] = address if feature_enabled
45
        end
46 47

        params
48 49
      end

50 51 52 53
      def lfs_upload_ok(oid, size)
        {
          StoreLFSPath: "#{Gitlab.config.lfs.storage_path}/tmp/upload",
          LfsOid: oid,
54
          LfsSize: size
55 56 57 58 59 60 61
        }
      end

      def artifact_upload_ok
        { TempPath: ArtifactUploader.artifacts_upload_path }
      end

62
      def send_git_blob(repository, blob)
63
        params = {
64
          'RepoPath' => repository.path_to_repo,
65
          'BlobId' => blob.id
66 67 68
        }

        [
69
          SEND_DATA_HEADER,
Douwe Maan committed
70
          "git-blob:#{encode(params)}"
71 72
        ]
      end
73

74
      def send_git_archive(repository, ref:, format:)
75 76
        format ||= 'tar.gz'
        format.downcase!
77
        params = repository.archive_metadata(ref, Gitlab.config.gitlab.repository_downloads_path, format)
78 79 80 81
        raise "Repository or ref not found" if params.empty?

        [
          SEND_DATA_HEADER,
Douwe Maan committed
82
          "git-archive:#{encode(params)}"
83 84
        ]
      end
85

Douwe Maan committed
86
      def send_git_diff(repository, diff_refs)
87
        params = {
Douwe Maan committed
88
          'RepoPath'  => repository.path_to_repo,
89
          'ShaFrom'   => diff_refs.base_sha,
90
          'ShaTo'     => diff_refs.head_sha
91 92 93 94 95
        }

        [
          SEND_DATA_HEADER,
          "git-diff:#{encode(params)}"
96 97
        ]
      end
98

Douwe Maan committed
99
      def send_git_patch(repository, diff_refs)
100
        params = {
101
          'RepoPath'  => repository.path_to_repo,
102
          'ShaFrom'   => diff_refs.base_sha,
Douwe Maan committed
103
          'ShaTo'     => diff_refs.head_sha
104 105 106
        }

        [
107
          SEND_DATA_HEADER,
108 109 110 111
          "git-format-patch:#{encode(params)}"
        ]
      end

112 113 114 115 116 117 118 119 120 121 122 123
      def send_artifacts_entry(build, entry)
        params = {
          'Archive' => build.artifacts_file.path,
          'Entry' => Base64.encode64(entry.path)
        }

        [
          SEND_DATA_HEADER,
          "artifacts-entry:#{encode(params)}"
        ]
      end

124 125 126 127 128
      def terminal_websocket(terminal)
        details = {
          'Terminal' => {
            'Subprotocols' => terminal[:subprotocols],
            'Url' => terminal[:url],
129
            'Header' => terminal[:headers],
130
            'MaxSessionTime' => terminal[:max_session_time]
131 132 133 134 135 136 137
          }
        }
        details['Terminal']['CAPem'] = terminal[:ca_pem] if terminal.has_key?(:ca_pem)

        details
      end

138
      def version
139 140
        path = Rails.root.join(VERSION_FILE)
        path.readable? ? path.read.chomp : 'unknown'
141 142
      end

143 144
      def secret
        @secret ||= begin
145
          bytes = Base64.strict_decode64(File.read(secret_path).chomp)
146 147 148 149
          raise "#{secret_path} does not contain #{SECRET_LENGTH} bytes" if bytes.length != SECRET_LENGTH
          bytes
        end
      end
150

151 152
      def write_secret
        bytes = SecureRandom.random_bytes(SECRET_LENGTH)
153
        File.open(secret_path, 'w:BINARY', 0600) do |f|
154
          f.chmod(0600) # If the file already existed, the '0600' passed to 'open' above was a no-op.
155 156 157
          f.write(Base64.strict_encode64(bytes))
        end
      end
158

159
      def verify_api_request!(request_headers)
160 161 162 163
        decode_jwt(request_headers[INTERNAL_API_REQUEST_HEADER])
      end

      def decode_jwt(encoded_message)
164
        JWT.decode(
165
          encoded_message,
166 167
          secret,
          true,
168
          { iss: 'gitlab-workhorse', verify_iss: true, algorithm: 'HS256' }
169 170 171 172
        )
      end

      def secret_path
173
        Gitlab.config.workhorse.secret_file
174
      end
175

176
      def set_key_and_notify(key, value, expire: nil, overwrite: true)
177 178 179
        Gitlab::Redis.with do |redis|
          result = redis.set(key, value, ex: expire, nx: !overwrite)
          if result
180
            redis.publish(NOTIFICATION_CHANNEL, "#{key}=#{value}")
181 182 183 184 185 186 187
            value
          else
            redis.get(key)
          end
        end
      end

188
      protected
189

190 191 192
      def encode(hash)
        Base64.urlsafe_encode64(JSON.dump(hash))
      end
193 194
    end
  end
Jacob Vosmaer committed
195
end